Month: October 2017

This is a little walkthrough of setting up a “production-like” vault server with etcd backend (not really production: no TLS and one person with all the keys). Hashicorp Vault is incredibly easy to set up. Going through the dev walkthrough is pretty easy, but when you want to get a little more advanced, you start getting bounced around the documentation. So these are my notes on setting up a vault server with an etcd backend and a few policies/tokens for access. Consider this part 1, and in “part 2”, I’ll set up an LDAP backend.

Q: Why etcd instead of consul?
A: Most of the places I know that run consul run it across multiple datacenters and a few thousand servers, and it interacts with lots of different services. Even if the secrets are protected, the metadata is quite visible. I want a rather compact and isolated backend for my eventual cluster.

Let’s log in with the infranetwork token and attempt to write to compute. I have not yet created secret/infra/compute or secret/infra/network and I’m curious if infraadmin is needed to make those first.

I got blocked from creating a path inside of compute, and I didn’t need secret/infra/network created before making a child path. That infraadmin account is really not needed at all. Let’s go ahead and try infracompute.
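As an added illustration (not the post’s own policy files, which are not shown), here is one way the infranetwork and infracompute policies could be written to produce exactly the behaviour observed above: each token can only write beneath its own subtree of secret/infra/, and no parent path has to exist first because KV paths are prefixes, not directories. The file names and the capability lists are my assumptions.

```hcl
# infranetwork.hcl (assumed name): the network token may manage anything
# under secret/infra/network/ and nothing else. Vault matches a policy path
# either exactly or by a trailing "*" glob, so secret/infra/compute/... is
# simply not covered and falls through to the default deny.
path "secret/infra/network/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# infracompute.hcl (assumed name): the mirror image for the compute token.
# Neither policy needs a rule for secret/infra/ itself, because writing
# secret/infra/network/foo does not require the "parent" to be created.
path "secret/infra/compute/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
```

Load each file as a named policy and issue a token carrying only that policy; a write to secret/infra/compute/anything by the network token then fails with permission denied, while a write to secret/infra/network/anything succeeds without any prior setup, which is why no infraadmin step is needed.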